U.S. Agencies Get 'C-' For Computer Security

According to an annual report card required by federal legislation, the majority of twenty-four U.S. government agencies continued to score sub-par grades in computer security for 2006.

While the overall grade of the agencies averaged to a 'C-', a slight improvement over the 'D+' received in 2005, the individual grades ranged across the spectrum. Some of the U.S. government's largest agencies, including the Departments of Commerce, Defense, Education, State, and Treasury, scored failing grades.

Other agencies dramatically improved their grades from last year. The Department of Health and Human Services improved last year's 'F' to a 'B' in 2006, while the Department of Housing and Urban Development jumped from a 'D+' to an 'A+', according to the score card.
The grades are based on numerical scores ranking the agencies' compliance with the Federal Information Security Management Act (FISMA) of 2002, which requires that the agencies secure their information systems according to guidelines developed by the National Institute of Standards and Technology and file annual reports about their compliance.
"FISMA is to some extent a paper exercise," said Jeremy Nazarian, vice president of marketing at network security firm Lumeta. "And, although it's not a complete representation of how an agency is doing, the score is ultimately a decent measure of how well aligned an organization is with security policies as defined by NIST."

The FISMA grades are based on the security reviews performed by the agencies, including progress in correcting previously identified weaknesses and the results of system hardening. Each agency is required to submit a report on its findings to the Office of Management and Budget by October.